
PUBLISHED

CVE-2025-43858

YoutubeDLSharp allows command injection on Windows due to unsanitized arguments



Description

YoutubeDLSharp is a .NET wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions from 1.0.0-beta4 up to but not including 1.1.2, arguments are converted into the `yt-dlp` command line without escaping, which allows injection of attacker-controlled commands when `yt-dlp` is started through a Windows command prompt with the `UseWindowsEncodingWorkaround` option set to true (the default). Any argument the attacker can influence, for example a video URL supplied by an untrusted user, is therefore a potential injection vector. If a caller uses the built-in methods of the `YoutubeDL.cs` file, the option is true and cannot be disabled through those methods, so callers of those methods cannot mitigate by configuration and must upgrade. This issue has been patched in version 1.1.2.
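As an added illustration of the bug class named above (this is not YoutubeDLSharp code and not the project's fix), the C# below contrasts launching yt-dlp through `cmd.exe /C` with all arguments joined into one string against launching the executable directly with `ProcessStartInfo.ArgumentList`. The assumption that the Windows encoding workaround routes the invocation through `cmd.exe` with a `chcp 65001` call is mine and is not stated on this page; the executable path and the hostile URL are constructed.

```csharp
// Added example, not code from YoutubeDLSharp. Assumes (not stated on this page)
// that the Windows workaround runs "cmd.exe /C chcp 65001 && <yt-dlp> <args>"
// with the arguments concatenated into a single string.
// Requires .NET Core 2.1 or later for ProcessStartInfo.ArgumentList.
using System;
using System.Diagnostics;
using System.Text;

static class YtDlpLauncher
{
    // Vulnerable pattern: every argument becomes part of one cmd.exe command
    // line, so cmd metacharacters (& | < > ^ %) inside a URL are interpreted
    // by cmd.exe as command separators, redirections or variable expansions.
    public static ProcessStartInfo VulnerableStartInfo(string ytDlpPath, string[] args)
    {
        return new ProcessStartInfo
        {
            FileName = "cmd.exe",
            Arguments = "/C chcp 65001 >nul && \"" + ytDlpPath + "\" " + string.Join(" ", args),
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };
    }

    // Hardened pattern: no shell at all. ArgumentList lets the runtime quote
    // each argument, and the UTF-8 console problem the workaround addressed is
    // handled by asking Python to emit UTF-8 and decoding stdout as UTF-8.
    public static ProcessStartInfo HardenedStartInfo(string ytDlpPath, string[] args)
    {
        var psi = new ProcessStartInfo
        {
            FileName = ytDlpPath,
            UseShellExecute = false,
            RedirectStandardOutput = true,
            StandardOutputEncoding = Encoding.UTF8,
        };
        psi.Environment["PYTHONIOENCODING"] = "utf-8";
        foreach (var a in args)
        {
            psi.ArgumentList.Add(a);
        }
        return psi;
    }

    // Conservative pre-check for code that cannot yet drop cmd.exe: refuse any
    // argument carrying cmd metacharacters before it reaches the shell.
    public static bool ContainsCmdMetachars(string arg)
    {
        return arg.IndexOfAny(new[] { '&', '|', '<', '>', '^', '%', '"' }) >= 0;
    }

    static void Main()
    {
        // Constructed hostile input: a URL with an appended cmd.exe command.
        string[] args = { "--print", "title", "https://example.com/watch?v=abc & calc.exe" };
        string ytDlp = @"C:\tools\yt-dlp.exe";

        var vulnerable = VulnerableStartInfo(ytDlp, args);
        // The joined string ends in "... & calc.exe", which cmd.exe runs as a
        // second command after yt-dlp exits.
        Console.WriteLine(vulnerable.FileName + " " + vulnerable.Arguments);

        var hardened = HardenedStartInfo(ytDlp, args);
        // Each element stays a single argument; yt-dlp receives the literal URL
        // and no shell ever sees the ampersand.
        Console.WriteLine(hardened.FileName + " [" + string.Join("] [", hardened.ArgumentList) + "]");

        Console.WriteLine("metacharacters in URL: " + ContainsCmdMetachars(args[2]));
    }
}
```

The pre-check is a stopgap only: blocking a character list does not cover every cmd.exe parsing quirk, so the durable fix is the hardened form, which never hands the argument string to a shell.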

Reserved 2025-04-17 | Published 2025-04-24 | Updated 2025-04-24 | Assigner GitHub_M


CRITICAL: 9.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Affected: >= 1.0.0-beta4, < 1.1.2

References

github.com/...LSharp/security/advisories/GHSA-2jh5-g5ch-43q5

github.com/...ommit/b6051372bd5af30f95f73de47d9bc71c3a07de0f

github.com/...ommit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50

cve.org (CVE-2025-43858)

nvd.nist.gov (CVE-2025-43858)

https://cve.threatint.eu/CVE/CVE-2025-43858
